In the Claims : 

Please cancel claims 6, 11, 19 and 42, without prejudice, and amend claims 
1, 3, 5, 8, 13, 15-16, 18, 22-25, and 27-28 as follows: 

1. (Currently Amended) A computer-readable recording medium 
for storing a computer program for detecting a worm by monitoring a communication of 
a predetermined network segment that is connected to a network and judging whether the 
communication is executed by a worm, the computer program causing a computer to 
perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information including unit time for measurement ; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting; and 

changing the setting information upon it being judged at the judging that 
the communication is executed by the worm, 
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wherein the acquiring includes acquiring the information based on the 
setting information after a change changed at the changing . 

2. (Cancelled) 

3. (Currently Amended) A computer-readable recording medium 
for storing a computer program for detecting a worm by monitoring a communication of 
a predetermined network segment that is connected to a network and judging whether the 
communication is executed by a worm, the computer program causing a computer to 
perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information including unit time for measurement ; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting; and 
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changing the judgment criteria upon it being judged at the judging that the 
communication is executed by the worm, wherein 

the judging includes further j udging whether the communication is 
executed by the worm based on the information acquired and the setting informat i on after 
a chang e j udgment criteria changed at the changing . 

4. (Previously Presented) The computer-readable recording 
medium according to claim 1, wherein the judging includes judging that a 
communication from a computer that is in the predetermined network segment is 
executed by the worm when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 

5. (Currently Amended) A computer-readable recording medium 
for storing a computer program for detecting a worm by monitoring a communication of 
a predetermined network segment that is connected to a network and judging whether the 
communication is executed by a worm, the computer program causing a computer to 
perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information including unit time for measurement ; 
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first j udging whether the communication a computer in the predetermined 
network segment is execu t e d infected b y the worm based on the information acquired and 
a predetermined judgment criteria; 

second judging whether a plurality of computers in the predetermined 
network segment are infected by the worm; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the first j udging that the communication computer is executed 
infected by the worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting, 

wherein the second j udging includes judging that a communication from a 
plurality of computers in the predetermined network segment is executed are infected by 
the worm when 

a communication from a the computer in the predetermined network 
segment is judged previously to be executed infected by the worm at the first judging, 

there is an increase in number of communication packets that are 
transmitted from the predetermined network segment to the outside, and 

the-anumber of destination addresses of the communication-paek-et packets 
that isare transmitted from the predetermined network segment to the outside becomes 
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greater than a number of destination addresses of-a the communication paeketpackets 
acqu i red transmitted from the predetermined network segment to the outside when the 
communication computer is judged to be executed infected by the worm at the first 
judging , and is transmitted from the predetermined network s egment to the outside . 

6-7. (Cancelled) 

8. (Currently Amended) A computer-readable recording medium for 
storing a computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging whether the 
communication is executed by a worm, the computer program causing a computer to 
perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information including unit time for measurement ; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; and 
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blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting, 

wherein the judging includes predicting a type of the worm by comparing 
features of a communication judged to be executed by a worm with features of a 
communication executed by a worm that4s are recorded in advance. 

9-12. (Cancelled) 

13. (Currently Amended) A method for detecting a worm by 
monitoring a communication of a predetermined network segment that is connected to a 
network and judging whether the communication is executed by a worm, comprising: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information including unit time for measurement ; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; 
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blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting; and 

changing the setting information upon it being judged at the judging that 
the communication is executed by the worm, 

wherein the acquiring includes acquiring the information based on the 
setting information after a chan ge changed at the changing . 

14. (Cancelled) 

15. (Currently Amended) A device for detecting a worm by monitoring 
a communication of a predetermined network segment that is connected to a network and 
judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting information 
including unit time for measurement ; 

a judging unit that judges whether the communication is executed by the 
worm based on the information acquired and a predetermined judgment criteria; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
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packets transmitted in the communication upon it being judged by the judging unit that 
the communication is executed by the worm; 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit; and 

a setting changing unit that changes the setting information upon it being 
judged by the judging unit that the communication is executed by the worm, wherein 

the acquiring unit acquires the information based on the setting information 
after a change changed by the setting changing unit . 

16. (Currently Amended) A device for detecting a worm by monitoring 
a communication of a predetermined network segment that is connected to a network and 
judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting information 
including unit time for measurement ; 

a judging unit that judges whether the communication is executed by the 
worm based on the information acquired and a predetermined judgment criteria; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
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packets transmitted in the communication upon it being judged by the judging unit that 
the communication is executed by the worm; 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit; and 

a setting changing unit that changes the judgment criteria upon it being 
judged by the judging unit that the communication is executed by the worm, wherein 

the judging unit further j udges whether the communication is executed by 
the worm based on the information acquired by the acquiring unit and the setting 
information aft e r a change judgment criteria changed at the changing . 

17. (Previously Presented) The device according to claim 15, wherein 
the judging unit judges that a communication from a computer that is in the 
predetermined network segment is executed by the worm when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 
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18. (Currently Amended) A device for detecting a worm by monitoring 
a communication of a predetermined network segment that is connected to a network and 
judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting information 
including unit time for measurement ; 

a judging unit that judges at a first time w hether the communication is 
executed a computer in the predetermined network segment is infected by the worm 
based on the information acquired and a predetermined judgment criteria, and judges at a 
second time whether a plurality of computers in the predetermined network segment are 
infected by the worm ; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged at the first time by the 
judging unit that the communication computer is executed infected by the worm; 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit, 
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wherein the judging unit judges at the second time that a communication 
from a plurality of computers in the predetermined network segment is e xecuted are 
infected by the worm when 

a communication from athe computer in the predetermined network 
segment is judged previously at the first time to be ex e cut e d infected by the worm, 

there is an increase in number of communication packets that are 
transmitted from the predetermined network segment to the outside, and 

the-a_number of destination addresses of the communication-^aek-et packets 
that isare transmitted from the predetermined network segment to the outside becomes 
greater than a number of destination addresses of athe communication packet packets 
acquired transmitte d f rom the predetermined network segment to the outside when the 
communication computer is judged at the first time to be exeeuted- infected by the worm; 
and is tran s mitted - from the predetennined network segment to th e outside . 

19-21. (Cancelled) 

22. (Currently Amended) A computer-readable recording medium for 
storing a computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging whether the 
communication is executed by a worm, the computer program causing a computer to 
perform: 
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acquiring information related to a traffic and a communication address of a 
communication packet based on setting informatio n including unit time for measurement ; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting, 

wherein the extracting includes summing up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the communication upon it being judged that the communication is 
executed by the worm at the judging, and extracting as the reference information, a most 
frequently appeared port number of the communication packets transmitted in the 
communication upon it being judged that the communication is executed by the worm at 
the judging. 

23. (Currently Amended) A method for detecting a worm by monitoring 
a communication of a predetermined network segment that is connected to a network and 
judging whether the communication is executed by a worm, comprising: 
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acquiring information related to a traffic and a communication address of a 
communication packet based on setting informatio n including unit time for measurement ; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting, 

wherein the extracting includes summing up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the communication upon it being judged that the communication is 
executed by the worm at the judging, and extracting as the reference information, a most 
frequently appeared port number of the communication packets transmitted in the 
communication upon it being judged that the communication is executed by the worm at 
the judging. 

24. (Currently Amended) A device for detecting a worm by monitoring 
a communication of a predetermined network segment that is connected to a network and 
judging whether the communication is executed by a worm, comprising: 
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an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting information 
including unit time for measurement ; 

a judging unit that judges whether the communication is executed by the 
worm based on the information acquired and a predetermined judgment criteria; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged by the judging unit that 
the communication is executed by the worm; and 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit, ^ 

wherein the reference information extracting unit sums up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the communication upon it being judged that the communication is 
executed by the judging unit, and extracts, as the reference information, a most frequently 
appeared port number of the communication packets transmitted in the communication 
upon it being judged that the communication is executed by the judging unit. 
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25. (Currently Amended) A computer-readable recording medium for 
storing a computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging whether the 
communication is executed by a worm, the computer program causing a computer to 
perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information including unit time for measurement ; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting, 

wherein the extracting further includes summing up, for each direction of 
communication of a packet transmitted out from the predetermined network segment or 
transmitted to the predetermined network segment, a number of the communication 
packets transmitted in the communication upon it being judged that the communication is 
executed by the worm at the judging, and extracting, as the reference information, a 
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direction of the communication wherein the number of the communication packets is 
over a threshold value. 

26. (Cancelled) 

27. (Currently Amended) A method for detecting a worm by monitoring 
a communication of a predetermined network segment that is connected to a network and 
judging whether the communication is executed by a worm, comprising: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information including unit time for measurement ; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting, 

wherein the extracting further includes summing up, for each direction of 
communication of a packet transmitted out from the predetermined network segment or 
transmitted to the predetermined network segment, a number of the communication 
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packets transmitted in the communication upon it being judged that the communication is 
executed by the worm at the judging, and extracting, as the reference information, a 
direction of the communication wherein the number of the communication packets is 
over a threshold value. 

28. (Currently Amended) A device for detecting a worm by monitoring 
a communication of a predetermined network segment that is connected to a network and 
judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting information 
including unit time for measurement ; 

a judging unit that judges whether the communication is executed by the 
worm based on the information acquired and a predetermined judgment criteria; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged by the judging unit that 
the communication is executed by the worm; and 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit, 
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wherein the reference information extracting unit further sums up, for each 
direction of communication of a packet transmitted out from the predetermined network 
segment or transmitted to the predetermined network segment, a number of the 
communication packets transmitted in the communication upon it being judged that the 
communication is executed by the judging unit, and extracts, as the reference 
information, a direction of the communication wherein the number of the communication 
packets is over a threshold value. 

29-33. (Cancelled) 

34. (Previously Presented) A device for cutting off a communication 
executed by a worm by monitoring the communication between a predetermined network 
segment and outside of the predetermined network segment, comprising: 

a worm judging unit that judges whether a communication is executed by 

the worm; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged by the worm judging unit 
that the communication is executed by the worm; and 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
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network segment based on the reference information extracted by the reference 
information extracting unit, 

wherein the reference information extracting unit sums up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the communication upon it being judged that the communication is 
executed by the worm judging unit, and extracts, as the reference information, a most 
frequently appearing port number of the communication packets transmitted in the 
communication upon it being judged by the worm judging unit that the communication is 
executed by the worm. 

35. (Previously Presented) A device for cutting off a communication 
executed by a worm by monitoring the communication between a predetermined network 
segment and outside of the predetermined network segment, comprising: 

a worm judging unit that judges whether a communication is executed by 

the worm; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged by the worm judging unit 
that the communication is executed by the worm; and 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
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network segment based on the reference information extracted by the reference 
information extracting unit, 

wherein the reference information extracting unit further sums up, for each 
direction of communication of a packet transmitted out from the predetermined network 
segment or transmitted to the predetermined network segment, a number of the 
communication packets transmitted in the communication upon it being judged by the 
worm judging unit that the communication is executed by the worm, and extracts, as the 
reference information, a direction of the communication wherein the number of the 
communication packets is over a threshold value. 

36-40. (Cancelled) 

41. (Previously Presented) The computer-readable recording 
medium according to claim 3, wherein the judging includes judging that a 
communication from a computer that is in the predetermined network segment is 
executed by the worm when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 



42. (Cancelled) 

21 



! 



43. (Previously Presented) The computer-readable recording 
medium according to claim 8, wherein the judging includes judging that a 
communication from a computer that is in the predetermined network segment is 
executed by the worm when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 
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